[jira] [Comment Edited] (COMPRESS-661) commons-compress 1.26.0 breaks Apache Tika 2.9.1

Tilman Hausherr (Jira) Tue, 20 Feb 2024 11:39:04 -0800


    [ 
https://issues.apache.org/jira/browse/COMPRESS-661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17818863#comment-17818863
 ]


Tilman Hausherr edited comment on COMPRESS-661 at 2/20/24 7:38 PM:
-------------------------------------------------------------------

{code:java}
ArArchiveInputStream ar = new ArArchiveInputStream(new BufferedInputStream(new 
FileInputStream("....../testARofText.ar")));
System.out.println("ar.markSupported(): " + ar.markSupported());

ArArchiveEntry aentry;
while ((aentry = ar.getNextEntry()) != null)
{
    ar.mark(10);
    ar.read(new byte[10]);
    ar.reset();
    System.out.println("AR: " + new String(ar.readAllBytes()));
}
{code}
This code will fail with 1.25.0 because mark/release is not supported and 
markSupported() is false:
{noformat}
ar.markSupported(): false
Exception in thread "main" java.io.IOException: mark/reset not supported
        at java.base/java.io.InputStream.reset(InputStream.java:655)
        at 
com.mycompany.maventikaproject.TilmanSevenTest.main(TilmanSevenTest.java:62)
{noformat}

With 1.26.0 it will bring this, while markSupported() is true:
{noformat}
ar.markSupported(): true
AR: Test d'indexation de Txt
http://www.a
Exception in thread "main" java.io.IOException: Truncated ar archive
        at 
org.apache.commons.compress.archivers.ar.ArArchiveInputStream.getNextArEntry(ArArchiveInputStream.java:281)
        at 
org.apache.commons.compress.archivers.ar.ArArchiveInputStream.getNextEntry(ArArchiveInputStream.java:351)
        at 
com.mycompany.maventikaproject.TilmanSevenTest.main(TilmanSevenTest.java:58)
{noformat}


was (Author: tilman):
{code:java}
ArArchiveInputStream ar = new ArArchiveInputStream(new BufferedInputStream(new 
FileInputStream("....../testARofText.ar")));
System.out.println("ar.markSupported(): " + ar.markSupported());

ArArchiveEntry aentry;
while ((aentry = ar.getNextEntry()) != null)
{
    ar.mark(10);
    ar.read(new byte[10]);
    ar.reset();
    System.out.println("AR: " + new String(ar.readAllBytes()));
}
{code}
This code will fail with 1.25.0 because mark/release is not supported and 
markSupported() is false:
{code:java}
ar.markSupported(): false
Exception in thread "main" java.io.IOException: mark/reset not supported
        at java.base/java.io.InputStream.reset(InputStream.java:655)
        at 
com.mycompany.maventikaproject.TilmanSevenTest.main(TilmanSevenTest.java:62)
{code}


With 1.26.0 it will bring this, while markSupported() is true:

ar.markSupported(): true
AR: Test d'indexation de Txt
http://www.a
Exception in thread "main" java.io.IOException: Truncated ar archive
        at 
org.apache.commons.compress.archivers.ar.ArArchiveInputStream.getNextArEntry(ArArchiveInputStream.java:281)
        at 
org.apache.commons.compress.archivers.ar.ArArchiveInputStream.getNextEntry(ArArchiveInputStream.java:351)
        at 
com.mycompany.maventikaproject.TilmanSevenTest.main(TilmanSevenTest.java:58)


> commons-compress 1.26.0 breaks Apache Tika 2.9.1
> ------------------------------------------------
>
>                 Key: COMPRESS-661
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-661
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Compressors
>    Affects Versions: 1.26.0
>            Reporter: Alexander Veit
>            Priority: Critical
>         Attachments: testARofText.ar
>
>
> Apache Commons Compress 1.26.0 fixes
> * https://www.cve.org/CVERecord?id=CVE-2024-25710 and
> * https://www.cve.org/CVERecord?id=CVE-2024-26308.
> We have tried to replace Apache Commons Compress 1.25.0 with 1.26.0 in our 
> deployments in order to fix these security vulnerabilities. But unfortunately 
> now Apache Tika is broken:
> {noformat}
>   org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from 
> org.apache.tika.parser.iwork.IWorkPackageParser@41fcb910
>     at 
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:304)
>     at 
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
>     at 
> app//org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:203)
>     at app//org.apache.tika.Tika.parseToString(Tika.java:525)
>     at app//org.apache.tika.Tika.parseToString(Tika.java:495)
>     at ...
>   Caused by: java.io.IOException: Resetting to invalid mark
>     at 
> java.base/java.io.BufferedInputStream.reset(BufferedInputStream.java:446)
>     at 
> org.apache.tika.parser.iwork.IWorkPackageParser.parse(IWorkPackageParser.java:97)
>     at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
>     ... 42 more
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (COMPRESS-661) commons-compress 1.26.0 breaks Apache Tika 2.9.1

Reply via email to